Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Admin Rights in GPO to Run a .BAT File

Posted on 2013-01-16
6
Medium Priority
?
860 Views
Last Modified: 2013-01-16
Hello,

I am trying to run a simple .BAT file that will get rid of previous versions of Java and I want to use Group Policy to distribute it.  I have it setup as a startup script in the Group Policy Manager and it works great ... as long as the user logs in with the local or domain Admin account :S

I thought using the startup script in GPM automatically used system admin rights.  Did I miss a step there?

I've tried to find a few simple solutions across the web, but they all seem to involve putting the admin account info in the BAT file ... something I do NOT want to do.

BTW, I am far from a programmer (my BAT file simply has one command in it).  So bear with me.  Also running a Windows 2008 R2 environment and the client machines are Win7.

Any help would be appreciated.
0
Comment
Question by:qec-dpenney
  • 3
  • 2
6 Comments
 
LVL 85

Expert Comment

by:oBdA
ID: 38782813
You're not using a startup script then, but a logon script.
Look under "Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)".
The startup script will run with System rights, and it will run without a user logging on.
Use this batch file as a template; it will create a startup.log file in %Systemroot%\Temp:
>>"C:Windows\Temp\startup.log" echo Startup script started at %Date% %Time%
>>"%Systemroot%\Temp\startup.log"  echo Running as:
whoami.exe >>"%Systemroot%\Temp\startup.log"
REM Your Java command:

Open in new window

Then assign the GPO to a test computer and reboot the machine. You can check whether the script ran without logging on; in an elevated command prompt, enter type \\TestMachine\Admin$\Temp\startup.log.
0
 

Author Comment

by:qec-dpenney
ID: 38782887
Here is the odd thing ... it is setup under the Startup script ... and I assume the BAT is running at start up since the login in process really takes no time at all to load.  However, If I log as the user, Java is not removed, if I log as either the local or domain admin, Java is removed.

I will try your test BAT though and get back to you, just to make sure I didn't mess anything up.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 38782951
Are you using the script here to remove Java ??

http://community.spiceworks.com/scripts/show/1449-uninstall-java-6
0
Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

 

Author Comment

by:qec-dpenney
ID: 38782975
Yes, but just the command line.  This is my '.BAT file';

wmic product where "name like 'Java(TM) 6%%'" call uninstall /nointeractive

wmic product where "name like 'Java(TM) 7%%'" call uninstall /nointeractive

wmic product where "name like 'Java 7%%'" call uninstall /nointeractive

exit
0
 
LVL 85

Accepted Solution

by:
oBdA earned 2000 total points
ID: 38783003
Try this then; it adds some more logging:
@echo off
>>"C:Windows\Temp\startup.log" echo Startup script started at %Date% %Time%
>>"%Systemroot%\Temp\startup.log"  echo Running as:
whoami.exe >>"%Systemroot%\Temp\startup.log"
>>"C:Windows\Temp\startup.log" echo %Time% Uninstalling 'Java(TM) 6%%%%' ...
wmic product where "name like 'Java(TM) 6%%'" call uninstall /nointeractive >>"%Systemroot%\Temp\startup.log" 2>&1
>>"C:Windows\Temp\startup.log" echo %Time% Uninstalling 'Java(TM) 7%%%%' ...
wmic product where "name like 'Java(TM) 7%%'" call uninstall /nointeractive >>"%Systemroot%\Temp\startup.log" 2>&1
>>"C:Windows\Temp\startup.log" echo %Time% Uninstalling 'Java 7%%%%' ...
wmic product where "name like 'Java 7%%'" call uninstall /nointeractive >>"%Systemroot%\Temp\startup.log" 2>&1
>>"C:Windows\Temp\startup.log" echo Startup script ended at %Date% %Time%

Open in new window

0
 

Author Comment

by:qec-dpenney
ID: 38783328
It looks like it is now working.  Thanks for your help with this.  I updated my BAT file with your improved logging BAT file (didn't change any of the GPO settings though) and it looks like it is working.

I think my issue was I was expecting the GPO update to occur too quickly.  With my testing, I had to reboot 3 or 4 times in order for the update to occur, but I kept logging in as a local user (no admin rights) and eventually all Java instances disappeared.

Your logging BAT file helped me determine if it was running and if it was successful (had a couple of 1603 instances instead of 0 ... that may have been an issue as well)

Thanks for your help.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this post we will be converting StringData saved within a text file into a hash table. This can be further used in a PowerShell script for replacing settings that are dynamic in nature from environment to environment.
Know the reasons and solutions to move/import EDB to New Exchange Server. Also, find out how to recover an Exchange .edb file and to restore the file back.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question